PRELIMINARY AMENDMENT



Sir: 

Please enter this Preliminary Amendment for the above-identified national phase 
application. 



AMENDMENT 

In The Title: 

Please cancel the English version of the title of the invention as printed in the front page of the PCT
publication, and substitute therefor: 

- METHOD OF TRANSPORTING PACKETS BETWEEN AN ACCESS INTERFACE OF A 
SUBSCRIBER INSTALLATION AND A SHARED NETWORK, AND ACCESS INTERFACE 
IMPLEMENTING SUCH METHOD - 

In The Specification: 

Page 4, between lines 18 and 19, insert the heading:

- BRIEF DESCRIPTION OF THE DRAWINGS --

Page 4, between lines 31 and 32, insert the heading:

DESCRIPTION OF PREFERRED EMBODIMENTS

In the Abstract: 

Please cancel the Abstract as printed in the front page of the PCT publication, and insert therefor 
the following Abstract. 

- ABSTRACT 

For transporting packets between an access interface of a subscriber installation and a 
concentrating router of a shared network the access interface carries out control operations on streams of 
packets transmitted to the concentrating router, within the framework of a contract between the 
subscriber and a manager of the shared network. After having carried out the control operations 
concerning a packet to be transmitted, the access interface transmits this packet to the concentrating 
router with a signature based on a secret shared with the concentrating router, authenticating that the 
packet has been subjected to the control operations. — 

In the Claims: 

Please amend Claims 1-10 to read as follows. A set of amended claims, red-lined to show the 
amendments, is attached hereto. 

1. (Amended) A method of transporting packets between an access interface of a subscriber installation
and a concentrating router of a shared network, comprising the steps of: 

carrying out, at the access interface, control operations on streams of packets transmitted to 
the concentrating router, within the framework of a contract between the subscriber and a manager 
of the shared network, and 

after having carried out the control operations concerning a packet to be transmitted, 
transmitting said packet from the access interface to the concentrating router with a signature 
based on a secret shared with the concentrating router, authenticating that the packet has been 
subjected to the control operations. 

2. (Amended) A method according to claim 1, wherein the signature consists of a code word added to 
the content of the packet.

3. (Amended) A method according to claim 2, wherein said code word is calculated by hashing at least
part of a content of the packet, involving the shared secret. 

4. (Amended) A method according to claim 1, wherein the signature consists of an enciphering of a 
content of the packet by means of a private key forming said shared secret. 

5. (Amended) A method according to claim 1, wherein the obtaining of the signature and at least some 
of the control operations are carried out within a single integrated circuit, without physical access 
immediately upstream of the obtaining of the signature. 

6. (Amended) An access interface for linking an access router of a subscriber installation to a 
concentrating router of a shared network, comprising: 

means for controlling streams of packets transmitted to the concentrating router, within the 
framework of a contract between the subscriber and a manager of the shared network, and 

signature means receiving the packets delivered by the stream control means and producing 
signed packets transmitted to the concentrating router, each signed packet comprising a signature 
based on a secret shared with the concentrating router, authenticating that the packet has been 
subjected to the stream control means. 

7. (Amended) An interface according to claim 6, wherein the signature consists of a code word added 
to the content of the packet. 

8. (Amended) An interface according to claim 7, wherein the signature means include means for 
calculating said code word by hashing at least part of a content of the packet, involving the shared secret. 

9. (Amended) An interface according to claim 6, wherein the signature consists of an enciphering of a 
content of the packet by means of a private key forming said shared secret. 

10. (Amended) An interface according to claim 6, wherein the signature means and at least part of the 
stream control means belong to a single integrated circuit, without physical access between the stream 
control means and the signature means.

REMARKS



The present application is a national phase filing under 35 U.S.C. 371 of PCT/FR99/03097. 
PCT/FR99/03097 claims priority to FR No. 98/15756 filed on December 14, 1998, as indicated on the
PCT cover page of the international application, as filed in French, submitted herewith. 

Applicant submits that the present amendments introduce no new matter. Claims 1-10 are 
pending in the application. The Examiner is invited to call the undersigned, if the Examiner believes that 
a telephone conversation could be helpful in expediting prosecution of the instant application.



Respectfully submitted, 



Date: June 14, 2001
Reg. No. 41,418 




Tel. No.: (617) 248-7240
Fax No.: (617) 248-7100 



Patrick R. H. Waller 

Agent for Applicant(s) 

Testa, Hurwitz, & Thibeault, LLP

High Street Tower 

125 High Street 

Boston, Massachusetts 02110

CLAIM AMENDMENTS (RED-LINED VERSION)

1. (Amended) A [M]method of transporting packets between an access interface [(16)] of a subscriber 
installation [(13)] and a concentrating router [(12)] of a shared network [(10), characterized in that the 
access interface carries out], comprising the steps of:

carrying out, at the access interface, control operations on streams of packets transmitted to 
the concentrating router, within the framework of a contract between the subscriber and a manager 
of the shared network, and [in that] 

after having carried out the control operations concerning a packet to be transmitted, [the 
access interface transmits this] transmitting said packet from the access interface to the 
concentrating router with a signature based on a secret shared with the concentrating router, 
authenticating that the packet has been subjected to the control operations.

2. (Amended) A [M]method according to claim 1, [in which] wherein the signature consists of a code 
word added to the content of the packet. 

3. (Amended) A [M]method according to claim 2, [in which] wherein said code word is calculated by 
[a technique of] hashing [a part] at least part of [the] a content of the packet, involving the shared secret. 

4. (Amended) A [M]method according to claim 1, [in which] wherein the signature consists of an 
enciphering of [the] a content of the packet [with the aid] by means of a private key forming said shared 
secret. 

5. (Amended) A [M]method according to [any one of claims 1 to 4, in which] claim 1, wherein the
obtaining of the signature and [certain] at least some of the control operations are carried out within [one 
and the same] a single integrated circuit, without physical access immediately upstream of the obtaining 
of the signature. 

6. (Amended) An [A]access interface for linking an access router [(15)] of a subscriber installation 
[(13)] to a concentrating router [(12)] of a shared network [(10), characterized in that it comprises],
comprising:

means [(39)] for controlling streams of packets transmitted to the concentrating router, 
within the framework of a contract between the subscriber and a manager of the shared network, 
and

signature means [(40)] receiving the packets delivered by the stream control means and
producing signed packets transmitted to the concentrating router, each signed packet comprising a 
signature based on a secret shared with the concentrating router, authenticating that the packet has 
been subjected to the stream control means. 

7. (Amended) An [I]interface according to claim 6, [in which] wherein the signature consists of a code
word added to the content of the packet. 

8. (Amended) An [I]interface according to claim 7, [in which] wherein [said code word is calculated
by] the signature means [(40)] include means for calculating said code word by [a technique of] hashing
[a part] at least part of [the] a content of the packet, involving the shared secret.

9. (Amended) An [I]interface according to claim 6, [in which] wherein the signature consists of an 
enciphering of [the] a content of the packet [with the aid] by means of a private key forming said shared 
secret. 

10. (Amended) An [I]interface according to [any one of claims 6 to 9, in which] claim 6, wherein the
signature means [(40)] and [a part] at least part of the stream control means [(39) form part of one and 
the same] belong to a single integrated circuit, without physical access between the stream control means 
and the signature means.

The present invention relates to packet based
transmission networks. It applies in particular, but
not exclusively, to shared networks operating according
to the Internet protocol (IP).



within the framework of contractual relations between a 
provider of access to the shared network and his 
customers. The provider is furnished, for the 
attachment of the installations of his customers, with
one or more concentrating routers for the shared
network. Transmission lines link this concentrating
router to the access interfaces of the customers'
installations, which may be private network access
router interfaces.

Here, the expression "police" functions
designates various processing or control operations
performed at the level of an interface of the network
on data streams which pass through it. By way of
nonlimiting examples, mention may be made of the
counting of the packets exchanged between a given
source address and a given destination address, the 
allocating of priorities to certain packets, address 
translations, the selective destruction of certain 
packets, etc. 

These police functions may be included within a
contractual framework between a subscriber (customer)
and a manager of the network (provider of services).
Such may for example be the case with functions
relating to billing, to flow control, to authorization
for access to certain sites linked to the network, to
the implementing of reservation protocols such as RSVP,
etc. They may also be included within the framework of
the internal organization of a public or private
network, for example to control certain accesses.

Customarily, the police functions pertaining to 
the contractual framework between the access provider 
and his customers are implemented at the level of the 
concentrating router's attachment interfaces. This 
router hosts software for controlling the streams which 
travel around its various interfaces. The packets 
having certain originating or destination addresses or 
ports are counted, filtered, rearranged etc. according 
to the type of service offered. Owing to the large 
number of installations which may be linked to the 
concentrating router and to the variety of services 
which may be rendered in respect of these 
installations, the various stream controls to be 
applied may considerably increase the complexity of the 
router. This drawback is all the more noticeable as 
more and more diverse processing operations are 
requested by customers or required by new reservation 
protocols.

Moreover, this organization is not flexible for 
the customer who wishes to tailor certain 
characteristics of the service offered to him. To do 
this he must turn to his provider so that the latter 
may make the changes required at the level of his 
concentrating router.

An aim of the present invention is to propose a 
mode of operation of the network which enables a wide 
diversity of stream controls to be taken into account 
without resulting in an excessive increase in the 
complexity of the concentrating routers, and with a 
relative flexibility of configuration. 

The invention thus proposes a method of 
transporting packets between an access interface of a 
subscriber installation and a concentrating router of a 
shared network, in which the access interface carries 
out control operations on streams of packets
transmitted to the concentrating router, within the
framework of a contract between the subscriber and a 
manager of the shared network. After having carried out 
the control operations concerning a packet to be 
transmitted, the access interface transmits this packet 
to the concentrating router with a signature based on a 
secret shared with the concentrating router, 
authenticating that the packet has been subjected to 
the control operations.

Preferably, the obtaining of the signature and 
certain at least of the control operations are carried 
out within one and the same integrated circuit, without 
physical access immediately upstream of the obtaining 
of the signature. 

The stream controls pertaining to the
contractual framework between the manager of the
network and the subscriber are thus decentralized,
thereby avoiding the need for the concentrating router
to take on all the diversity of the operations demanded
by the various subscriptions. The mechanism for signing
the packets guarantees to the manager of the network 
that the subscriber, who is furnished with the access 
interface at his premises, does not send him packets 
which have not been subjected to the stream control 
operations, that is to say which have sidestepped the 
police and billing functions. 

The method gives rise to a distributed 
architecture of access and of concentration, which is 
well suited to taking account of the increases in 
traffic and in diversity of services which future 
applications will entail.

The subscriber benefits moreover from greater 
flexibility for dynamically defining the
characteristics of his subscription. He merely needs to
intervene at the level of the access interface with 
which he is furnished. He may moreover define the 
police functions pertaining to the contractual
framework with the access provider on the same platform
as the other police functions which he uses for the 
internal organization of his installation, thereby 
simplifying organization thereof. 

Another aspect of the present invention 
concerns an access interface for linking an access 
router of a subscriber installation to a concentrating 
router of a shared network, comprising means for 
controlling streams of packets transmitted to the 
concentrating router, within the framework of a 
contract between the subscriber and a manager of the 
shared network, and signature means receiving the 
packets delivered by the stream control means and 
producing signed packets transmitted to the 
concentrating router, each signed packet comprising a 
signature based on a secret shared with the 
concentrating router, authenticating that the packet 
has been subjected to the stream control means. 

Other features and advantages of the present 
invention will become apparent in the following 
description of nonlimiting exemplary embodiments, with 
reference to the appended drawings, in which: 

- figure 1 is a diagram of a network where the 
invention may be implemented; 

- figure 2 is a schematic diagram of an access 
router of a private installation of this network; 

- figure 3 is a schematic diagram of a stream 
processing device forming part of an interface of the 
router of figure 2; and 

- figure 4 is a graph of elementary processing 
operations undertaken by the device of figure 3. 

Figure 1 shows a wide area shared network (WAN)
10 comprising a certain number of interconnected 
routers and switches 11, 12. The case where the shared 
network 10 operates according to the IP protocol is 
considered here. A certain number of the routers are
concentrating routers 12 to which private installations
13 are linked. 

A private subscriber installation 13 is 
typically linked to the shared network 10 by means of 
an access router 15, one of whose interfaces 16 is
linked to a line 17 for transmission from and to the 
concentrating router 12. The access router 15 can be 
linked to other routers of the private installation 13 
or to servers or terminals 18 of this installation, by 
means of other interfaces, which are not represented in
figure 1.

Figure 2 shows an exemplary architecture of the 
access router 15. The outside interface 16, and also 
the interfaces 20, 21 with the remainder of the private 
installation 13, are linked to the core of the router
consisting of a packet forwarding engine 22. The
forwarding engine 22 forwards the packets from one
interface to another on the basis of the address fields
and port fields contained in the headers of the packets
in accordance with the IP protocol and with any
extensions thereof (TCP, UDP, etc), by referring to
routing tables. 

Certain of the interfaces of the access router 
15 are provided, in just one or in both directions of 
transmission, with processing devices, or stream
processors, 24, 25 undertaking police functions. In the 
illustrative example of figure 2, the device 24 is 
fitted to the outside interface 16 in the outgoing 
direction, and the device 25 is fitted to another 
interface 20 in the incoming direction.

The access router is supervised by a management 
unit 26 which can consist of a microcomputer or a work 
station which executes routing software serving in 
particular to configure the routing table of the 
forwarding engine 22 and the stream processors 24, 25
and to exchange control or protocol information with
them. These commands and exchanges are effected by way
of an appropriate software programming interface (API).

Most of the existing packet routing and 
forwarding software is readily available in the Unix 
environment, but its performance is customarily limited
on account of the frequent interruptions of the 
operating system. It is much faster to use a real time 
operating system such as VxWorks, but this complicates 
the implementation of the routing software.

The role of the stream processors 24, 25 is to
assist the non-real time operating system (such as
Unix), on the basis of which the management unit 26
functions, in the complex tasks for manipulating the
streams which require real time performance
(forwarding, filtering, enciphering, etc.). These
processors implement a certain number of tools for
manipulating the streams which may be linked
dynamically according to any combination so as to
perform the task required. This configuration can be
achieved through the Unix operating system by calling
the API functions, thereby greatly facilitating the
setting up of new functionalities by the programmer.

As illustrated diagrammatically by figure 1,
one of the tasks performed by the stream processor 24
of the outside interface 16 of the access router 15
consists in transmitting each packet to the
concentrating router 12 while appending a digital
signature (block 40) thereto. This signature attests
that the packets in question have been subjected to the
other stream control operations (block 39) performed by
the processor 24.

The corresponding interface 28 of the 
concentrating router 12 comprises a module for 
analyzing the packets received on the line 17 so as to 
make sure that the signature is present.

This signature technique advantageously makes 
it possible to decentralize the stream control
operations necessary for the contractual relations
between the manager of the concentrating router 12, 
which provides the service of attachment to the shared 
network 10, and the subscribers whose installations 13 
are linked to this concentrating router 12. In the 
conventional embodiments, these stream control 
operations are performed at the level of the 
concentrating router. This results in considerable 
complexity of the concentrating router when it is 
attached to a fairly large number of private 
installations, and a lack of flexibility for the 
subscribers when modifications are required. 

By performing these stream control operations 
at the level of the access routers 15, great 
flexibility is afforded in this regard. The signing of 
the packets then guarantees to the service provider 
that the line 17 does not send him valid packets which 
depart from the contractual framework with the 
subscriber. If such a packet were to appear, the 
interface 28 of the concentrating router 12 would 
simply eliminate it after having noted the absence of 
the appropriate signature. 

Various conventional processes may be used to 
construct and analyze the signature of the packets, on 
the basis of a secret shared between the routers 12 and 
15. The signature can in particular have the form of a 
code word added to the content of the packet, and 
calculated on the basis of all or part of this content 
and of a secret key, the calculation being performed 
with the aid of a function which is extremely difficult 
to invert in order to recover the secret key. It is 
thus possible to use a technique of hashing the content 
of the packet, or of just a part of this content, for 
example an MD5 hashing (see R. Rivest, RFC 1231, "The
MD5 Message Digest Algorithm").
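
An added example, not part of the patent text: the code-word variant described above, with the check made at the interface 28. It uses HMAC-SHA-256 from the Python standard library in place of the MD5 hashing the text mentions; the function names, the secret and the sample packet are constructed for the illustration, and the `covered` parameter models hashing "all or part" of the content.

```python
import hashlib
import hmac

TAG_LEN = hashlib.sha256().digest_size  # 32-byte code word appended to each packet


def _code_word(secret, packet, covered):
    # covered=None hashes the whole packet; an integer hashes only that many
    # leading bytes ("all or part of this content").
    data = packet if covered is None else packet[:covered]
    return hmac.new(secret, data, hashlib.sha256).digest()


def sign_packet(secret, packet, covered=None):
    """Access interface (block 40): append the code word after the controls ran."""
    return packet + _code_word(secret, packet, covered)


def verify_packet(secret, frame, covered=None):
    """Interface 28: return the packet if the code word is valid, else None."""
    if len(frame) <= TAG_LEN:
        return None  # too short to carry a code word: treated as unsigned
    packet, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    # Constant-time comparison, so timing does not reveal how much of a tag matched.
    if not hmac.compare_digest(tag, _code_word(secret, packet, covered)):
        return None
    return packet


def router_ingress(secret, frames, covered=None):
    """Forward verified packets and count the ones that are eliminated."""
    forwarded, dropped = [], 0
    for frame in frames:
        packet = verify_packet(secret, frame, covered)
        if packet is None:
            dropped += 1
        else:
            forwarded.append(packet)
    return forwarded, dropped


# Constructed sample data (documentation address ranges, made-up secret).
SECRET = b"constructed-shared-secret"
HEADER = b"HDR:192.0.2.10>198.51.100.20:5001|"
PACKET = HEADER + b"payload bytes"


def demo():
    good = sign_packet(SECRET, PACKET)
    unsigned = PACKET                              # never passed the signer
    tampered = bytes([good[0] ^ 1]) + good[1:]     # altered after signing
    wrong_key = sign_packet(b"other-secret", PACKET)
    return router_ingress(SECRET, [good, unsigned, tampered, wrong_key])


def partial_coverage_demo():
    # Code word computed over the header only: the remaining bytes are not
    # authenticated, so a change there is not noticed by the router.
    covered = len(HEADER)
    frame = sign_packet(SECRET, PACKET, covered)
    body_changed = frame[:covered] + b"X" + frame[covered + 1:]
    header_changed = b"X" + frame[1:]
    return (verify_packet(SECRET, body_changed, covered) is not None,
            verify_packet(SECRET, header_changed, covered) is not None)


if __name__ == "__main__":
    print(demo())
    print(partial_coverage_demo())
```

When only part of the content is hashed, the covered part should include every field the contract depends on (addresses, ports, TOS), since anything outside it can change without the check failing.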

It is also possible to use an enciphering 
process to form the signature of the packets. The
content of the packet is then enciphered with the aid
of a private key, the interface 28 of the concentrating 
router undertaking the corresponding deciphering with 
the aid of a public or private key. The unenciphered 
packets, or those enciphered by means of a wrong key 
are then destroyed at the level of the interface 28. 

As an option, provision may be made for the 
interface 28 of the concentrating router to also sign 
the packets which it transmits on the line 17, and for 
the interface 16 of the access router to verify this 
signature so as to make sure that the packets received 
are valid. 

Figure 3 shows the organization of a stream 
processor 24 or 25 of an interface of the access router 
15. 

The stream processor receives a sequence of 
incoming packets 30 each comprising a header 31 in 
accordance with the IP protocol, and delivers a 
sequence of outgoing packets 32 having a header 33 
after having performed certain elementary processing 
operations whose nature depends on the data streams 
concerned.

The incoming packets 30 are stowed away in a 
packets memory 35 organized as a first in-first out 
(FIFO) stack. Each packet is fed to the memory 35 with
a processing label 36. The processing label initially 
has a specified value (0 in the example represented) 
for the incoming packets 30. 

The stream processor is supervised by a unit 37 
which cooperates with a table 38 making it possible to 
associate a particular processing module with each 
value of the processing label. In the simplified 
example represented in figure 3, the stream processor 
comprises an assembly of five processing modules M1 -
M5 effecting elementary processing operations of
different kind.

After the execution of an elementary processing
operation, the supervisory unit 37 consults the packets 
memory 35. If the latter is not empty, a packet is 
extracted therefrom according to the FIFO organization. 
The supervisory unit 37 consults the table 38 to 
determine which processing module corresponds to the 
label of this packet. The unit 37 then activates the 
module in question so that it performs the 
corresponding elementary processing operation. In 
certain cases, this elementary processing operation may 
entail a modification of the content of the packet, in 
particular its header. 

It will be understood that the "extraction" of
the packet, to which reference is made, is an 
extraction in the logical sense from the FIFO memory. 
The packet is not necessarily removed from the memory. 
The addresses of the packets in the memory 35 can be 
managed in a conventional manner by means of pointers 
so as to comply with the FIFO organization. The 
activated processing module can be furnished simply 
with the address of the current packet so as to perform 
the required reads, analyses, modifications or 
deletions as appropriate. 

The first processing module M1, associated with
the initial label 0, is a filtering module which
analyzes the address field and/or protocol definition
field and/or port field of the IP header of the
packets. With the help of an association table T1, the
filtering module M1 delivers a second processing label
which identifies a string of elementary processing
operations which will subsequently have to be performed
on the packet. After having determined the second
processing label for the packet extracted from the
memory 35, the filtering module M1 stows away the
packet in the memory 35 again, with the second
processing label. The next elementary processing
operation will then be executed when the packet is
again extracted from the memory.

The module M2 is a module for counting the 
packets relating to certain streams. In the case of the 
association table 38 represented in figure 3, this 
module M2 is called for the processing labels 2 and 4. 
When it processes a packet, the module M2 increments a 
counter with the number of bytes of the packet, or else 
with the value 1 in the case of a packets counter. The 
counter can be made secure, in particular if it serves 
for the billing of the subscriber by the manager of the 
network 10. In the case of a secure counter, requests 
are regularly made to the access provider to obtain 
transmission credits, the relevant packets being 
destroyed if the credit is used up. 

The module M3 of figure 3 is a priorities 
management module. In the case of the association table 
38 represented in figure 3, this module M3 is called 
for the processing label 3. The module M3 operates on 
the TOS ("Type of Service") field of the IP header of
the packets. The TOS is used in the network to manage 
forwarding priorities so as to provide a certain 
quality of service on certain links. The TOS field can 
be changed according to prerecorded tables. These 
tables can be defined under the control of the access 
provider so as to prevent packets being inappropriately 
transmitted with a high priority, which might disturb 
the network.

The elementary processing operation performed 
last on a packet of the memory 35 is either its 
destruction (module M4 activated by the label 8), or 
its resubmission to the output of the stream processor 
(module M5 activated by the label 5 or 9). The module
M4 can be used to destroy packets having a certain
destination and/or a certain origin.

The modules M2 and M3, which do not terminate 
the processing operations to be undertaken in respect
of a packet (except in the case of destruction), each
operate with a label translation table T2, T3. This
translation table designates, for the processing label 
extracted from the memory 35 with the current packet, 
another processing label designating the next 
elementary processing operation to be undertaken. The 
elementary processing operation undertaken by this 
module M2 or M3 terminates with the associating of the 
packet with this other processing label and the 
reinjecting of the packet thus processed into the 
memory 35. 

In this way, highly varied combinations of 
processing operations can be performed on the various 
data streams passing through the processor. 

Figure 4 shows a simplified example 
corresponding to the tables 38, T1 - T3 represented in
figure 3. The incoming packet 30, associated with the
first label 0, is firstly subjected to the filtering
effected by the module M1.

In the particular case considered, the stream
processor 24 counts the packets transmitted from a
source address AS1 to a destination address AD1 and a
port P1, and modifies the TOS field of these packets
before delivering them on the line 17, this
corresponding to the upper branch of the graph of
figure 4. Moreover, the stream processor 24 counts the
packets emanating from a source address AS2 heading for
a port P2 before destroying them, this corresponding to
the lower branch of figure 4. The other packets are
simply delivered to the line 17. The default value (9)
of the processing label returned by the module M1
therefore simply designates the output module M5. If
the module M1 detects in the packet extracted from the
memory 35 the combination AS1, AD1, P1 in the relevant
address and port fields, it returns the packet with the
processing label 2. If the values AS2, P2 are detected
in the address and port fields, it is the label 4 which
is returned with the packet.

These labels 2 and 4 both correspond to the
counting module M2. The label will also designate for
this module the memory address of the counter which has
to be incremented. The table T2 with which the module
M2 operates will make it possible at the end of
processing to perform the return to the next module to
be activated (M3 designated by the label 3 for the
packets whose TOS has to be changed, M4 designated by
the label 8 for the packets to be destroyed).

The module M3 receives packets with the
processing label 3, and returns them with the label 9
after having made the required modification of the TOS
field.

From this simplified example it can be seen
that the stream processor makes it possible, through
the identification of a stream by the filtering module
M1, to perform various combinations of elementary
processing operations in a relatively simple and fast
manner.
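
An added example, not part of the patent text: a Python simulation of the figure 4 graph, driven by the tables 38 and T1 - T3 as the description gives them. The addresses, ports, the TOS value written by M3 and the rule that an unknown label leads to destruction are assumptions made for the illustration.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    port: int
    tos: int = 0
    labels: list = field(default_factory=list)  # processing labels seen (trace)


# Constructed values standing in for AS1, AD1, P1, AS2 and P2 of figure 4.
AS1, AD1, P1 = "192.0.2.10", "198.51.100.20", 5001
AS2, P2 = "192.0.2.66", 6002
NEW_TOS = 0x10  # assumed value written by M3; the text does not give one


class StreamProcessor:
    def __init__(self):
        self.fifo = deque()            # packets memory 35: (label, packet)
        self.output = []               # packets delivered by M5
        self.destroyed = []            # packets eliminated by M4
        self.counters = {2: 0, 4: 0}   # one packet counter per counting label
        # Table 38: processing label -> processing module.
        self.table38 = {0: self.m1, 2: self.m2, 4: self.m2, 3: self.m3,
                        8: self.m4, 5: self.m5, 9: self.m5}
        # T1: filter rules (None is a wildcard); the default label is 9.
        self.t1 = [((AS1, AD1, P1), 2), ((AS2, None, P2), 4)]
        self.t2 = {2: 3, 4: 8}         # label translation used by M2
        self.t3 = {3: 9}               # label translation used by M3

    def submit(self, pkt):
        self.fifo.append((0, pkt))     # incoming packets carry label 0

    def m1(self, label, pkt):          # filtering
        for (src, dst, port), new_label in self.t1:
            if (src in (None, pkt.src) and dst in (None, pkt.dst)
                    and port in (None, pkt.port)):
                return new_label
        return 9

    def m2(self, label, pkt):          # counting
        self.counters[label] += 1
        return self.t2[label]

    def m3(self, label, pkt):          # priorities management (TOS)
        pkt.tos = NEW_TOS
        return self.t3[label]

    def m4(self, label, pkt):          # destruction
        self.destroyed.append(pkt)
        return None

    def m5(self, label, pkt):          # output (where signing would take place)
        self.output.append(pkt)
        return None

    def run(self):
        # Supervisory unit 37: one elementary operation per extraction.
        while self.fifo:
            label, pkt = self.fifo.popleft()
            pkt.labels.append(label)
            # Assumption: a label missing from table 38 destroys the packet.
            module = self.table38.get(label, self.m4)
            next_label = module(label, pkt)
            if next_label is not None:
                self.fifo.append((next_label, pkt))  # stowed away again


def run_figure4():
    sp = StreamProcessor()
    for pkt in [Packet(AS1, AD1, P1),             # upper branch
                Packet(AS2, "203.0.113.5", P2),   # lower branch
                Packet(AS1, AD1, P1),             # upper branch
                Packet("192.0.2.99", AD1, 80)]:   # default: straight to M5
        sp.submit(pkt)
    sp.run()
    return sp


if __name__ == "__main__":
    sp = run_figure4()
    print(sp.counters, [p.labels for p in sp.output], len(sp.destroyed))
```

Because every elementary operation puts the packet back at the tail of the FIFO, the unclassified packet leaves before the two counted ones submitted ahead of it; order within one stream is preserved.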

A main advantage of this way of proceeding is
the flexibility of the operations for configuring the
stream processor. The tables 38, T1 - T3 which define
any graph of elementary processing operations, such as
the one represented in figure 4, can be constructed
relatively simply and with a small real time constraint
by means of the management unit 36 through the API. The
same holds in respect of the information enabling the
modules M1 - M5 to perform their elementary processing
operations (description of the counts to be performed
by the module M2, way of changing the TOS fields by the
module M3, etc.).

In practice, the stream processor may comprise
various processing modules other than those represented
by way of example in figures 3 and 4, according to the
requirements of each particular installation (for
example, module for managing the output queues, address
translation module, etc.).

The function of signing the packets 
transmitted, which was described earlier, can form part 
of the elementary processing undertaken by the output 
module M5. In a typical embodiment of the access
router, the stream processor 24 will be included in an 
application specific integrated circuit (ASIC) 
organized around a microcontroller core. This 
embodiment allows there to be no physical access 
between the stream control modules 39 (at least those 
which pertain to the relations between the subscriber 
and the manager of the network 10) and the module M5 
which is responsible for signing the packets, 
corresponding to the block 40 of figure 1. This 
improves the security of the link from the viewpoint of 
the manager of the network.

Claims

1. Method of transporting packets between an
access interface (16) of a subscriber installation (13)
and a concentrating router (12) of a shared network
(10), characterized in that the access interface
carries out control operations on streams of packets
transmitted to the concentrating router, within the
framework of a contract between the subscriber and a
manager of the shared network, and in that after having
carried out the control operations concerning a packet
to be transmitted, the access interface transmits this
packet to the concentrating router with a signature
based on a secret shared with the concentrating router,
authenticating that the packet has been subjected to
the control operations.

2. Method according to claim 1, in which the
signature consists of a code word added to the content
of the packet.

3. Method according to claim 2, in which said code
word is calculated by a technique of hashing a part at
least of the content of the packet, involving the
shared secret.

4. Method according to claim 1, in which the
signature consists of an enciphering of the content of
the packet with the aid of a private key forming said
shared secret.

5. Method according to any one of claims 1 to 4,
in which the obtaining of the signature and certain at
least of the control operations are carried out within
one and the same integrated circuit, without physical
access immediately upstream of the obtaining of the
signature.

6. Access interface for linking an access router
(15) of a subscriber installation (13) to a
concentrating router (12) of a shared network (10),
characterized in that it comprises means (39) for
controlling streams of packets transmitted to the 
concentrating router, within the framework of a 
contract between the subscriber and a manager of the 
shared network, and signature means (40) receiving the 
packets delivered by the stream control means and 
producing signed packets transmitted to the 
concentrating router, each signed packet comprising a 
signature based on a secret shared with the 
concentrating router, authenticating that the packet 
has been subjected to the stream control means. 

7. Interface according to claim 6, in which the 
signature consists of a code word added to the content 
of the packet. 

8. Interface according to claim 7, in which said 
code word is calculated by the signature means (40) by 
a technique of hashing a part at least of the content 
of the packet, involving the shared secret. 

9. Interface according to claim 6, in which the 
signature consists of an enciphering of the content of 
the packet with the aid of a private key forming said 
shared secret. 

10. Interface according to any one of claims 6 to 
9, in which the signature means (40) and a part at 
least of the stream control means (39) form part of one 
and the same integrated circuit, without physical 
access between the stream control means and the 
signature means.